Bugtraq mailing list archives

Re: TCP Timestamping and Remotely gathering uptime information


From: Matt Lewis <barkode-bugtraq () NINJAS ORG>
Date: Fri, 16 Mar 2001 12:04:03 -0800

Darren Reed said:

Why do you think all timestamps should not reveal uptime information?

Well, not to speak on Bret's behalf per se, but personally, I've seen
plenty of software (the quality of which may be in question) that uses
uptime (or clock-ticks-since-boot, whatever) for a variety of things,
albeit usually trivial.

However, take for example a weak IP stack that uses this data to do ISN
generation for TCP sessions, for instance a trivial time dependency that
takes the uptime of a machine and uses it to compute a poorly-generated
pseudo-random number for use as an ISN.

Not to say this is actually the case, but there's definitely software in
userland that this could affect.

To generalize, if someone knew that a particular application they were
attempting to attack used the uptime of the machine as a seed to
generate some sort of serial, tracking, or sequencing number, or a
temp-file-naming-scheme, etc, it may not be the straw that breaks the
camel's back, but it certainly may help the attacker.

Of course, you're asking for it if you're using uptime as a seed for
anything you want to call a decent PRNG.

-Matt
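
An added sketch of the point made in the message above (not part of the original post and not code from any real product): a hypothetical temp-file naming scheme seeded with uptime, an audit check showing how few seeds remain once uptime is known to within a few seconds, and a CSPRNG-based replacement. The tick rate, function names and sample uptime are assumptions constructed for illustration.

```python
import math
import random
import secrets

TICKS_PER_SEC = 100  # assumed tick rate for this sketch


def weak_tmpname(uptime_ticks):
    """Hypothetical weak scheme: name comes from a PRNG seeded with uptime."""
    rng = random.Random(uptime_ticks)
    return "tmp%08x" % rng.getrandbits(32)


def strong_tmpname():
    """Hardened form: 128 bits from the OS CSPRNG, unrelated to uptime."""
    return "tmp" + secrets.token_hex(16)


def seeds_matching(name, est_uptime_ticks, slack_ticks):
    """Audit check: seeds within the uptime estimate that reproduce `name`."""
    lo = max(0, est_uptime_ticks - slack_ticks)
    hi = est_uptime_ticks + slack_ticks
    return [s for s in range(lo, hi + 1) if weak_tmpname(s) == name]


def search_space_bits(slack_ticks):
    """Effective entropy left in the seed once uptime is known to +/- slack."""
    return math.log2(2 * slack_ticks + 1)


if __name__ == "__main__":
    # Constructed sample: host up about 41 days; estimate is off by 1.5 s.
    true_ticks = 41 * 86400 * TICKS_PER_SEC + 1234
    estimate = true_ticks + 150
    slack = 5 * TICKS_PER_SEC
    name = weak_tmpname(true_ticks)
    print("weak name:", name)
    print("seeds reproducing it:", seeds_matching(name, estimate, slack))
    print("seed entropy: %.1f bits" % search_space_bits(slack))
    print("CSPRNG name:", strong_tmpname(), "(128 bits)")
```

With uptime known to within five seconds, the seed carries under 10 bits of entropy regardless of how wide the generator's output is, which is why the seed has to come from the operating system's CSPRNG rather than from anything derived from boot time.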

